Profiles for connection security
If connection security is active, we must define profiles in the MQCONN class and permit the necessary groups or user IDs access to those profiles, so that they can connect to IBM MQ.
To enable a connection to be made, we must grant users RACF READ access to the appropriate profile. (If no queue manager level profile exists, and your queue manager is a member of a queue sharing group, checks might be made against queue sharing group level profiles, if the security is set up to do this.)
A connection profile qualified with a queue manager name controls access to a specific queue manager, and users given access to this profile can connect to that queue manager. A connection profile qualified with a queue sharing group name controls access to all queue managers within the queue sharing group for that connection type. For example, a user with access to QS01.BATCH can use a batch connection to any queue manager in queue sharing group QS01 that does not have a queue manager level profile defined.
Note:
- For information about the user IDs checked for different security requests, see User IDs for security checking on z/OS.
- Resource level security (RESLEVEL) checks are also made at connection time. For details, see The RESLEVEL security profile.
IBM MQ security recognizes the following different types of connection:
- Batch (and batch-type) connections, which include:
  - z/OS batch jobs
  - TSO applications
  - USS sign-ons
  - Db2 stored procedures
- CICS connections
- IMS connections from control and application processing regions
- The IBM MQ channel initiator
- Connection security profiles for batch connections
  Profiles for checking batch-type connections are composed of the queue manager or queue sharing group name followed by the word BATCH. Give the user ID associated with the connecting address space READ access to the connection profile.
- Connection security profiles for CICS connections
  Profiles for checking CICS connections are composed of the queue manager or queue sharing group name followed by the word CICS. Give the user ID associated with the CICS address space READ access to the connection profile.
- Connection security profiles for IMS connections
  Profiles for checking IMS connections are composed of the queue manager or queue sharing group name followed by the word IMS. Give the IMS control and dependent region user IDs READ access to the connection profile.
- Connection security profiles for the channel initiator
  Profiles for checking connections from the channel initiator are composed of the queue manager or queue sharing group name followed by the word CHIN. Give the user ID used by the channel initiator started task address space READ access to the connection profile.
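The profile naming and READ grants described above, written out as RACF commands. This is an added example, not taken from the IBM documentation; the queue manager name QM01 (assumed to be a member of queue sharing group QS01) and every user or group ID shown are hypothetical placeholders.

```racf
/* Queue manager level profiles for QM01 (hypothetical name).        */
/* UACC(NONE) means only IDs on the access list can connect.         */
RDEFINE MQCONN QM01.BATCH UACC(NONE)
RDEFINE MQCONN QM01.CHIN  UACC(NONE)

/* Batch-type connections: the ID of the connecting address space.   */
/* BATCHGRP is a hypothetical group of batch and TSO users.          */
PERMIT QM01.BATCH CLASS(MQCONN) ID(BATCHGRP) ACCESS(READ)

/* Channel initiator: the started task user ID (hypothetical).       */
PERMIT QM01.CHIN CLASS(MQCONN) ID(MQ01CHIN) ACCESS(READ)

/* Queue sharing group level profiles for QS01. Where queue sharing  */
/* group level checking is in effect, these cover CICS and IMS       */
/* connections to any member of QS01 that has no queue manager level */
/* profile of its own for that connection type, QM01 included,       */
/* because no QM01.CICS or QM01.IMS profile is defined here.         */
RDEFINE MQCONN QS01.CICS UACC(NONE)
RDEFINE MQCONN QS01.IMS  UACC(NONE)

/* CICS: the user ID of the CICS address space (hypothetical).       */
PERMIT QS01.CICS CLASS(MQCONN) ID(CICSRGN1) ACCESS(READ)

/* IMS: both the control region and dependent region user IDs.       */
PERMIT QS01.IMS CLASS(MQCONN) ID(IMSCTL1 IMSDEP1) ACCESS(READ)

/* Review the resulting access lists.                                */
RLIST MQCONN QM01.BATCH AUTHUSER
RLIST MQCONN QM01.CHIN  AUTHUSER
RLIST MQCONN QS01.CICS  AUTHUSER
RLIST MQCONN QS01.IMS   AUTHUSER
```

With these definitions, QS01.BATCH (if defined) would not govern batch connections to QM01, because QM01.BATCH exists at queue manager level.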